2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright (c) 2000-2002 Silicon Graphics, Inc. All Rights Reserved.
11 seqres=$RESULT_DIR/$seq
15 status=1 # FAILure is the default!
16 trap "_cleanup; exit \$status" 0 1 2 3 15
18 # get standard environment, filters and checks
27 [ -n "$TEST_DIR" ] && rm -rf $TEST_DIR/$seq.dir1
31 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
32 # This is set with chacl(1) and can be changed by chmod(1).
34 # Test that this is being set for ACL and for std unix permissions
35 # Test that we can get back the same ACL.
36 # Test std permissions for rwx.
39 # Test out default ACLs and that the ACL is being PASSed
40 # onto the children of the dir.
43 # Test out access check for extended ACLs.
44 # -> 3 extra ACEs: MASK, GROUP, USER
45 # -> the GROUP compares with egid of process _and_ the supplementary
46 # groups (as found in /etc/group)
48 # Test that mask works for USER, GROUP, GROUP_OBJ
49 # Test that the ACE type priority is working
50 # -> this would be done by simultaneously matching on ACEs
51 # -> interesting if it allows user to specify ACEs in any order
54 # real QA test starts here
71 echo "QA output created by $seq"
73 echo "=== Test minimal ACE ==="
76 # Note: as this is a shell script,
77 # will need read and execute permission set
78 # in order to execute it.
81 echo "Test was executed"
86 chown $acl1.$acl2 file1
90 echo "--- Test get and set of ACL ---"
91 echo "Note: Old interface gave an empty ACL - now output an ACL"
92 chacl -l file1 | _acl_filter_id
93 echo "Try using single colon separator"
94 echo "Note: Old interface FAILed because of single colon - new one allows it"
95 chacl u::r--,g::rwx,o:rw- file1 2>&1
97 chacl u::r--,g::rwx,o::rw- file1 2>&1
98 chacl -l file1 | _acl_filter_id
101 echo "--- Test sync of ACL with std permissions ---"
105 chacl -l file1 | _acl_filter_id
108 echo "--- Test owner permissions ---"
109 chacl u::r-x,g::---,o::--- file1 2>&1
110 chacl -l file1 | _acl_filter_id
112 echo "Expect to PASS"
113 _runas -u $acl1 -g $acl1 ./file1 2>&1
114 echo "Expect to FAIL"
115 _runas -u $acl2 -g $acl2 ./file1 2>&1
118 echo "--- Test group permissions ---"
119 chacl u::---,g::r-x,o::--- file1 2>&1
120 chacl -l file1 | _acl_filter_id
121 echo "Expect to FAIL - acl1 is owner"
122 _runas -u $acl1 -g $acl1 ./file1 2>&1
123 echo "Expect to PASS - acl2 matches group"
124 _runas -u $acl2 -g $acl2 ./file1 2>&1
125 echo "Expect to PASS - acl2 matches sup group"
126 _runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
127 echo "Expect to FAIL - acl3 is not in group"
128 _runas -u $acl3 -g $acl3 ./file1 2>&1
131 echo "--- Test other permissions ---"
132 chacl u::---,g::---,o::r-x file1 2>&1
133 chacl -l file1 | _acl_filter_id
134 echo "Expect to FAIL - acl1 is owner"
135 _runas -u $acl1 -g $acl1 ./file1 2>&1
136 echo "Expect to FAIL - acl2 is in group"
137 _runas -u $acl2 -g $acl2 ./file1 2>&1
138 echo "Expect to FAIL - acl2 is in sup. group"
139 _runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
140 echo "Expect to PASS - acl3 is not owner or in group"
141 _runas -u $acl3 -g $acl3 ./file1 2>&1
143 #-------------------------------------------------------
146 echo "=== Test Extended ACLs ==="
149 echo "--- Test adding a USER ACE ---"
150 echo "Expect to FAIL as no MASK provided"
151 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
152 echo "Ensure that ACL has not been changed"
153 chacl -l file1 | _acl_filter_id
154 echo "Expect to PASS - USER ACE matches user"
155 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
156 chacl -l file1 | _acl_filter_id
157 _runas -u $acl2 -g $acl2 ./file1 2>&1
158 echo "Expect to FAIL - USER ACE does not match user"
159 _runas -u $acl3 -g $acl3 ./file1 2>&1
162 echo "--- Test adding a GROUP ACE ---"
163 echo "Expect to FAIL as no MASK provided"
164 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
165 echo "Ensure that ACL has not been changed"
166 chacl -l file1 | _acl_filter_id
167 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
168 chacl -l file1 | _acl_filter_id
169 echo "Expect to PASS - GROUP ACE matches group"
170 _runas -u $acl2 -g $acl2 ./file1 2>&1
171 echo "Expect to PASS - GROUP ACE matches sup group"
172 _runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
173 echo "Expect to FAIL - GROUP ACE does not match group"
174 _runas -u $acl3 -g $acl3 ./file1 2>&1
176 #-------------------------------------------------------
179 echo "--- Test MASK ---"
182 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
183 chacl -l file1 | _acl_filter_id
184 echo "Expect to FAIL as MASK prohibits execution"
185 _runas -u $acl2 -g $acl2 ./file1 2>&1
188 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
189 echo "Expect to FAIL as MASK prohibits execution"
190 _runas -u $acl2 -g $acl2 ./file1 2>&1
193 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
194 echo "Expect to PASS as MASK allows execution"
195 _runas -u $acl2 -g $acl2 ./file1 2>&1
197 #-------------------------------------------------------
200 echo "--- Test ACE priority ---"
202 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
203 echo "Expect to FAIL as should match on owner"
204 _runas -u $acl1 -g $acl2 ./file1 2>&1
206 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
207 echo "Expect to PASS as should match on user"
208 _runas -u $acl2 -g $acl2 ./file1 2>&1
210 #-------------------------------------------------------
213 echo "=== Test can read ACLs without access permissions ==="
214 # This was a bug in kernel code where syscred wasn't being used
215 # to override the capabilities
216 chacl o::---,g::---,u::--- file1 2>&1
217 chacl -l file1 | _acl_filter_id
219 #-------------------------------------------------------
222 echo "=== Test Default ACLs ==="
223 # make test clearer by testing with and without umask
227 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
228 chacl -l acldir | _acl_filter_id
233 chacl -l file2 | _acl_filter_id
235 #ensure that umask is not having an effect
240 chacl -l file3 | _acl_filter_id
245 #-------------------------------------------------------
248 echo "=== Removing ACLs ==="
249 chacl -l file1 | _acl_filter_id
250 chacl -l acldir | _acl_filter_id
251 chacl -l acldir/file2 | _acl_filter_id
252 echo "Remove ACLs..."
255 chacl -R acldir/file2
256 echo "Note: Old interface would mean empty ACLs - now we show mode ACLs"
257 chacl -l file1 | _acl_filter_id
258 chacl -l acldir | _acl_filter_id
259 chacl -l acldir/file2 | _acl_filter_id
261 #-------------------------------------------------------
264 echo "=== Recursive change ACL ==="
267 pushd root >/dev/null
268 # create an arbitrary little tree
269 for i in 1 2 3 4 5 6 7 8 9 0
276 chown -R 12345.54321 root
278 _runas -u 12345 -g 54321 -- chacl -r u::rwx,g::-w-,o::--x root
279 find root -print | sort | xargs chacl -l
281 _runas -u 12345 -g 54321 -- chacl -r u::---,g::---,o::--- root
282 find root -print | sort | xargs chacl -l
284 #-------------------------------------------------------
287 echo "=== Test out error messages for ACL text parsing ==="
288 echo "Note: Old interface gave more informative error msgs"
294 chacl u:rumpledumpleunknownuser file1
295 chacl u:rumpledumpleunknownuser: file1
296 chacl g:rumpledumpleunknowngrp file1
297 chacl g:rumpledumpleunknowngrp: file1
298 chacl o:user1:rwx file1
299 chacl m:user1:rwx file1